Eavesdropping a fax machine

July 1st, 2013 at 14:55 UTC by Markus Kuhn

I was intrigued this morning to see on the front page of the Guardian newspaper a new revelation by NSA whistleblower Edward Snowden: a US eavesdropping technique “DROPMIRE implanted on the Cryptofax at the EU embassy [Washington] D.C.”. I was even more intrigued by an image that accompanied the report:

The Guardian, 1 July 2013, page 1

Having done many experiments to eavesdrop on office equipment myself, the noisy image at the bottom third of the picture above looked instantly familiar: it is what you might get from listening with a radio receiver on the compromising emanations of a video signal of a page of text.

Unfortunately, the Guardian so far provides no technical details other than a brief mention that some of the eavesdropping techniques used involve “collection of transmissions with specialised antennae”. The Guardian piece also interprets the above slide as a reference to “a bug placed in a commercially available encrypted fax machine used at the mission”, but does not provide any further details.

I know nothing more about this specific case than what was in the Guardian this morning, but the noisy image shown gives a few clues. Look closely at the large-letter text “EC NCN”:
magnified detail
You may spot that only vertical edges of these letters are showing up as bright lines. The corresponding horizontal edges are largely missing (e.g., E, N).

Imagine the device being eavesdropped is a fax machine with a laser-print engine. A laser beam exposes one image pixel after another on a photo-sensitive charged drum. If the laser is on, the spot it hits on the drum is discharged of static electricity, and the toner will not stick, resulting in a white pixel. If the laser is off, the surface of the drum remains charged, the toner sticks, and is transferred onto the paper, resulting in a black pixel. A typical laser printer contains a single laser diode that draws one pixel after another on the printed page, line by line. Now each time the laser diode is switched on or off, an electromagnetic “click” emerges from the cable that powers it, which can be heard with a radio receiver tuned to many otherwise quiet parts of the radio spectrum. At pixel frequencies of a few megahertz (depending on the print resolution and speed), a normal AM radio designed for human listening will not be able to resolve such a rapid sequence of clicks, but a good laboratory receiver with a bandwidth of many megahertz will. The resulting waveform can be digitized and converted into a raster image (see publications below for details).

Let’s simulate what eavesdropping a laser printer writing “EC NCN” might look like: the first figure below is the text to be eavesdropped, and the second figure is what the eavesdropper would see as a result:

simulated AM-demodulated signal

As the laser beam scans the text image line by line, each time it switches on or off, that is each time it transitions between a white and a dark area, we can visualize the resulting broadband “click” as a bright pixel. Any vertical edge of a letter turns into a bright vertical line, whereas horizontal edges remain invisible. Plus you get background noise, from all the many other things going on in that part of the radio spectrum at the same time.

In the image above, I have merely simulated this process, namely approximated the bandpass filtering and amplitude demodulation of a radio receiver by taking the horizontal derivative of the input image, and then the absolute value, plus adding a bit of noise. The result will certainly differ somewhat from the image in the Guardian, perhaps due to different fonts and resolutions being used and the eavesdropped signal being a scanned image in which lines of text are not perfectly horizontal. The image in the Guardian also shows the text being slanted backwards quite a bit, which is an effect that you get if the eavesdropper has not adjusted the horizontal scan frequency used perfectly. If that is in fact the case here, I would actually be a bit disappointed: I would have expected the NSA to master the signal-processing tricks that could be used to automatically align the eavesdropped image precisely with the pixel-clock of the emitting device.
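The simulation described above can be reproduced in a few lines of pure Python. This is an added example, not the code used for the figures in this post: the glyph bitmaps, function names, page size and noise level are constructed for illustration. It also re-cuts the same signal with a line length that is wrong by one pixel, which reproduces the slant caused by a mis-adjusted horizontal scan frequency.

```python
import random

# Constructed 5x7 glyph bitmaps: '#' = black (laser off), '.' = white (laser on).
GLYPHS = {
    "E": ["#####", "#....", "#....", "####.", "#....", "#....", "#####"],
    "C": [".####", "#....", "#....", "#....", "#....", "#....", ".####"],
    "N": ["#...#", "##..#", "#.#.#", "#.#.#", "#..##", "#...#", "#...#"],
    " ": ["....."] * 7,
}


def render_page(text, scale=4, margin=6):
    """Return the page as rows of pixels: 0 = white, 1 = black."""
    body = []
    for gy in range(7):
        line = [0] * margin
        for ch in text:
            for cell in GLYPHS[ch][gy]:
                line += [1 if cell == "#" else 0] * scale
            line += [0] * scale  # gap after each letter
        line += [0] * margin
        body += [list(line) for _ in range(scale)]
    blank = [0] * len(body[0])
    pad = [list(blank) for _ in range(margin)]
    return pad + body + [list(blank) for _ in range(margin)]


def emanation(page, noise=0.2, seed=1):
    """Model the receiver output for the page as the laser draws it:
    |horizontal derivative| of the serial on/off stream plus background noise."""
    rng = random.Random(seed)
    stream = [px for row in page for px in row]  # line by line, pixel by pixel
    signal = [0.0]
    for prev, cur in zip(stream, stream[1:]):
        signal.append(abs(cur - prev) + abs(rng.gauss(0.0, noise)))
    return signal


def rasterise(signal, width):
    """Cut the 1-D receiver output into scan lines of the assumed width."""
    return [signal[i:i + width] for i in range(0, len(signal) - width + 1, width)]


def to_ascii(image, threshold=0.5):
    """Crude display: '#' for a bright (strong click) pixel, '.' otherwise."""
    return "\n".join("".join("#" if v > threshold else "." for v in row)
                     for row in image)


if __name__ == "__main__":
    page = render_page("EC NCN")
    width = len(page[0])
    sig = emanation(page)
    print(to_ascii(rasterise(sig, width)))      # correct line length: vertical edges only
    print()
    print(to_ascii(rasterise(sig, width + 1)))  # line length off by one pixel: slanted text
```
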

What remains unclear is what exactly the NSA may have “implanted on the Cryptofax” device. The eavesdropping attack on the power-supply current of a diode laser, as outlined above, can work well on an unmodified device, without any “eavesdropping bugs” implemented, as a purely passive attack. However, the resulting signal may not be very strong, and may be difficult to receive more than a few (tens of) meters away, without heroic, radio-astronomy-style antenna designs.

On the other hand, if the enemy had physical access to the targeted device, they could install a custom-made transmitter inside it. That could just pick up the processed datastream from one of the internal digital interfaces and send it out using proper digital modulation and error-correcting codes, which should result in an image as clear as that being printed, without any background noise. The image does not look like this is what has happened here, due to the noise and scan-line artefacts mentioned above.

So I can only speculate what the “implant” might refer to instead:

  • The NSA might have modified the device, but without installing additional electronics, in order to reduce the probability of discovery. They might have made some minor, purely mechanical changes, to strengthen an existing accidentally emitted signal. An easy way to achieve this is to manipulate the ground-return path. Good electronics designers ensure that any current returns to the source along the same path as it came, e.g. via a twisted-pair cable. By disconnecting a ground-return line and sending the current back on a detour via some other metal structure in the device, you can effectively build a transmitter coil, and substantially increase the signal leakage without leaving any obvious traces (such as additional circuit boards with transmitters). They could also remove shielding material, short-circuit or remove low-pass filters designed to suppress radio interference, basically do the opposite of anything an electromagnetic-compatibility textbook advises.
  • They might have installed nearby (within a few meters, possibly on the same mains power circuit) a device that records any compromising emanations as described above, and then retransmits them over a much larger distance for further analysis.
  • They might have installed something that “illuminates” the target device with microwave radiation, perhaps through a window, and then look at interesting data in the back-scatter signal. Every bit of wire acts as both a receive and transmit antenna, and reflects electromagnetic waves as a result. It will reflect some frequencies better than others, depending not only on its length, but also on how the ends are terminated (e.g., left open or grounded). If the termination of a wire changes in a data-dependent way, beaming RF energy at a suitable frequency at it and listening to what comes back may allow eavesdropping from a much larger distance than just passive listening.
  • If a non-linear device (transistor, diode) is connected at the end of the wire, then the state of that (open, closed) will also affect what harmonics are being created. This can be exploited by an eavesdropper listening to backscatter radiation at an integer multiple of the frequency at which the device is being illuminated.

Many of these techniques have been speculated about or demonstrated in a laboratory setting in the open literature. But there is very little hard evidence of how widely they are used in practice to violate someone’s privacy or steal secrets, because the people who perform such eavesdropping attacks in real life (as opposed to academic laboratories) are not in the habit of publishing their work. Therefore, I am thankful for this little glimpse of a contemporary real-world TEMPEST-style attack!

Related literature:

7 comments

  • 1. Juergen  |  July 2nd, 2013 at 10:12 UTC

    If the data really is acquired through a TEMPEST attack on the laser hitting the drum the same attack would also be possible for laser printers… time to dig out those old Oki LED-line printers ;-)

    Theoretically, even inkjet printers might produce a tiny signal when they fire the individual tubes in the print head…

  • 2. Andrew D. Todd  |  July 2nd, 2013 at 18:52 UTC

    It would be significantly harder to employ this attack against an ink-jet printer.

    It is much simpler to build a print head of many nozzles to operate in parallel rather than sequentially. The simplest way to build an inkjet print head is as follows, each nozzle is connected by a power transistor to a common capacitor, and the ground of the nozzle is connected to a common connection to the other lead of the capacitor. The capacitor is big enough that the voltage does not fluctuate significantly according to how many nozzles are fired, and is as close as possible to the print head. The input of each power transistor is connected to an AND gate. One input of each AND gate is connected to a data bit of a bus. The other input is connected to a common strobe. The data bus is probably connected up in a fairly direct fashion to an integrated circuit which receives data in some compressed format, and expands it into bits. You might find that a typical print-head is depositing ink over a swath half an inch wide at each pass, in order to have enough space for the different nozzles and their apparatus to be mounted in parallel.

    The greater the performance of an inkjet printer, the greater the number of nozzles. This is a limitation inherent in the viscosity of the ink. The flow resistance of the ink varies as the inverse cube of nozzle diameter. Physical motion does not obey the same laws as light or electricity. If you wanted to make an inkjet printer to rival a laser printer, you would need to have a print head eight and a half inches long, which is mounted across the page and does not move back and forth, with thousands of nozzles, and provide it with some kind of fault-tolerant system to allow for clogged nozzles. It is quite possible that with the new OLED transistors, such a print head would be economically feasible.

  • 3. James M. Atkinson  |  July 4th, 2013 at 17:02 UTC

    Eavesdropping on inkjet printers is tremendously easier than most people realize. For each droplet of ink the printer creates a fairly strong spike of electrical energy, and these spikes provide a signature specific to each printer model.

    Once the printer model is known the spy can then collect this signal given off of the printer and reconstruct what was printed, often in much higher detail and resolution than the image that was originally printed on the paper.

    Because inkjet printer use watermarking (faint yellow letters and numbers that most people can not see unless they look at the paper under a UV light).

    A technically minded person can actually reconstruct documents based merely on a receiver positioned at a distance to the printer.

    It is also possible (and more common) to actually install a transmitter on the data port on the printer so that everything sent to the printer gets transmitted, but these are quite easy to detect.

    The same is true of a digital computer monitor, here the pixels can be eavesdropped upon at a considerable distance, but the optimal way is to either bug the video card or the monitor itself (and not merely to resort to passive eavesdropping).

    The bandwidth of the power lines and secure phones is fairly limited, but a spy can internally buffer and store the “secure” communication into a digital buffer or memory inside the fax machine, secure phone, or even photocopier and once this data is stored then can slowly transmit it down the power lines with a fairly simple modification to the fax machine, copier, or secure telephone (MAJOR TSCM HINT: Always, without exception check the power supplies at the board and component level to catch this). By slowing down the transmittal of the document, then it can be transmitted out of the secure area and use the reduced bandwidth of power lines. This is one of the optimal methods of getting classified data off of a “secure fax”, “Secure Phones”, and other “Secure” devices where the device or power supply is modified.

    A “secure inkjet printer” is a bit of a joke, as there is no such product.

    There is also the good old-fashioned method of bugging the copy machine, or laser printer, and this can be done by storing the pages on the internal hard drive, or memory and then the spy collecting the contents through a variety of interesting methods.

  • 4. Markus Kuhn  |  July 4th, 2013 at 18:11 UTC

    I can think of several factors that can make reconstructing the image printed by an ink-jet from the drive-current emissions quite a bit more complicated than with a laser printer.

    Firstly, laser printers scan the entire page width at a constant line rate. In contrast, most ink-jet printers optimize the head motion and move the head only as far as necessary (i.e., where text is), which leaves less certainty for the eavesdropper to predict at which point in time the head is where, especially with text with ragged right margins.

    Secondly, laser printers scan each line at a constant rate, resulting in a fixed pixel frequency. In contrast, many ink-jet printers accelerate their print-head with a DC motor while printing, resulting in a variable pixel frequency. The print-head is then connected to an optical position encoder (e.g. a long transparent strip with a fine line grating, spanning the width of the page). There is often a driver chip located right next to the print head that receives via an elastic cable from the CPU a list of pixels to be printed in advance, buffers them, and then fires the ink nozzles whenever the optical encoder tells it that it has reached the right position for the drop. The actual acceleration achieved by the print head will depend slightly on environmental factors (lubrication, temperature, age, etc.), adding a bit of non-determinism to everything.

    Finally, while a laser printer uses just a single beam deflected by rotating mirrors, an ink-jet printhead has dozens of nozzles that fire in parallel. That will make it more difficult for the eavesdropper to distinguish between the signals from individual nozzles, meaning that you know that ink is flowing, but not quite at what Y coordinate.

    There may well be ways to overcome all of these obstacles, but they seem far from trivial, require an in-depth analysis of the exact technology used, and may only be practical under excellent reception conditions:

    1. Some ink-jets avoid firing nozzles exactly at the same time, as this would create unwanted aerodynamic interactions between droplets flying right next to each other. If they slightly phase the release of the droplets at each X coordinate to avoid these effects, that can effectively serialize the pixel impulses again, making it easier for an eavesdropper to distinguish to which line the ink belongs.
    2. Likewise, the variable pixel frequency could be observed directly by measuring inter-pulse intervals (as in a clock-recovery PLL), and the head position inferred from that via numeric integration.
    3. Finally, the last line of one pass of the head and the first line of the next pass will usually be nearly identical, which again will help an eavesdropper to puzzle the image together. (Anyone remembering my cross-correlation exploits 20 years ago?)

    So in theory, I can see how to eavesdrop on an ink-jet, but you will have to spend many weeks in the laboratory with a reference printer of the same type, before you have figured out how to make sense of its compromising emanations.

    I’d be delighted to see a good eavesdropping demo for an ink-jet printer that achieves a readability comparable to that of the printed page!

  • 5. Jerry  |  July 6th, 2013 at 08:09 UTC

    Faxes are encoded using a scan length encoding scheme using a type of Huffman coding.

    The net result is that there is distinctive computational activity at the beginning and end of either a black or a white contiguous segment on a scan line.

    This means you can’t rule out detection of particular types of processor activity when the decision is made to draw white or black on the line segment.

    There is a more advanced fax encoding algorithm that uses references to the previous line content. However the bursts of computational activity remain pretty much the same.

  • 6. Nick P  |  October 1st, 2013 at 16:03 UTC

    Here’s what I think:

    1. It looks like a processed emission so they’re probably collecting it that way.

    2. They prefer something that’s deniable.

    3. They planted something there.

    I think they probably just strengthened the emanations that are already occurring. They might have planted a material or [intentionally] defective part that has this effect. It would be unlikely that anyone find it and if they do it looks like it could be a manufacturer’s innocent mistake. That would be ideal.

    Far as transmitters and such, our spy agencies know the opponents do sweep for transmitters and might detect a variety of bugs sending radio signals. They also know emanation attacks are esoteric and most devices are vulnerable to them. So, it would seem stealthier to use emanation attacks. And it follows to use a bug that enhances the emanation while looking like a vanilla defect.

  • 7. Clive Robinson  |  October 2nd, 2013 at 09:12 UTC

    Markus,

    With regards the origin of the signal, whilst the laser on printing out does generate nice little spikes it could also be from the input side.

    That is when scanning the input a change from black to white or white to black will cause changes in CPU activity.

    I suspect for operational reasons they would have wanted to capture both the inbound and outbound faxes (Unlike Email people don’t generally include the other persons message in faxes).

    With regards the skew on the image, I suspect that it’s a physical input error not a sync issue. If you look at a line of text it is skewed by about the same angle as the edges of the characters. If it was an electronic sync issue then the line of text would be level not skewed. Thus I suspect it may be either a pinch roller issue or manual placing issue on a flat bed scanner.

    What is not said in the slide is who manufactured the “Cryptofax”, it is of perhaps some note that it is a trade name of a company near Zug in Switzerland, although like “Hoover” it’s falling into more general use. At the time of the “bugging” the Swiss company Crypto AG model that was current was the HC-4221.

    Now I don’t know how far back your memory goes but Crypto AG has a bit of a checkered history. Some of the contributors and readers of this blog will remember that a Crypto AG employee was arrested abroad after allegations that Crypto AG had colluded with the NSA to put backdoors in their products sold to other countries. The employee was eventually released but on returning home was subjected to legal proceedings by both Crypto AG and the Swiss Government as well…

    Now the NSA are known to have “funny moments” with selecting Code words think of TEMPEST and the active attacks project called TEAPOT and the common expression “Tempest in a teapot”. I note that DROPMIRE is the shortening of another common expression of “Dropped in the mire”, which is certainly what happened to the Crypto AG employee and Crypto AG themselves who very nearly went out of business because of the collusion allegations.

    Such puerile humour is quite common in intel organisations especially with regards to other intel organisations within their own country that they view as “turf stealers”. In the Diplomatic Wireless Service (DWS) they regarded themselves as the most senior of the organisations and looked down on the others as “trade not gentlemen”. Thus of the head of the Met Police which carries a knighthood with the job they referred to him as “Sir Met” but pronounced as cement, which if you wore over shoes made of it would certainly make you “plod” (a common disparaging name for the police). Likewise for the SS, the head of “The Service” was traditionally called “C” and thus in the DWS was called “Sir C” pronounced as “Cerce” who for non classicists is the “Wicked Witch” minor deity of magic in Greek mythology who murdered her husband, and was imprisoned on an island, and when escaping from the consequences of her mistakes “scorched the earth”.
